WordPress Groups Plugin Insecure Direct Object Reference Vulnerability in Group Join Function

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Groups plugin for WordPress, affecting all versions up to and including 6.7.0. The issue lies in the group_join function, where the 'group_id' parameter is not validated against the group the shortcode was rendered for, so authenticated attackers with Subscriber-level access and above can join arbitrary groups rather than only the group specified in the shortcode.
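The following is an added illustration, not the Groups plugin's own code, of the defect class described above and of a hardened pattern. It shows a join handler that trusts the posted group_id next to one that binds a WordPress nonce to the specific group id at shortcode render time and re-checks the requested group against a server-side allowlist. The function names, the shortcode tag 'groups_join', the option name 'joinable_group_ids' and the helper add_user_to_group() are hypothetical; the WordPress API calls (shortcode_atts, wp_create_nonce, wp_verify_nonce, absint, sanitize_text_field, esc_attr, get_option, is_user_logged_in, get_current_user_id, add_shortcode) are real and assume the code runs inside WordPress.

```php
<?php
// Added illustration, not the Groups plugin's real code. Hypothetical names:
// vulnerable_group_join_handler, hardened_group_join_shortcode,
// hardened_group_join_handler, group_join_is_allowed, add_user_to_group.

// --- Vulnerable pattern (illustrative IDOR) ----------------------------------
// The shortcode renders a join button for one group, but the handler accepts
// whatever group_id the client posts back, so any authenticated user can
// substitute another group's id.
function vulnerable_group_join_handler() {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    $group_id = absint( $_POST['group_id'] ?? 0 ); // attacker-controlled value
    add_user_to_group( get_current_user_id(), $group_id ); // hypothetical helper
    return true;
}

// --- Hardened pattern --------------------------------------------------------
// 1. When rendering the shortcode, issue a nonce whose action string includes
//    the group id, so the token is only valid for that one group.
function hardened_group_join_shortcode( $atts ) {
    $atts     = shortcode_atts( array( 'group' => 0 ), $atts, 'groups_join' );
    $group_id = absint( $atts['group'] );
    if ( ! $group_id ) {
        return '';
    }
    $nonce = wp_create_nonce( 'groups_join_' . $group_id );
    return sprintf(
        '<form method="post">'
        . '<input type="hidden" name="group_id" value="%d">'
        . '<input type="hidden" name="groups_join_nonce" value="%s">'
        . '<button type="submit">Join</button></form>',
        $group_id,
        esc_attr( $nonce )
    );
}
add_shortcode( 'groups_join', 'hardened_group_join_shortcode' );

// 2. Pure allowlist check (no WordPress dependency): is the requested group one
//    the site has explicitly exposed for self-service joining?
function group_join_is_allowed( $requested_group_id, array $joinable_group_ids ) {
    $allowed = array_map( 'intval', $joinable_group_ids );
    return in_array( (int) $requested_group_id, $allowed, true );
}

// 3. The handler re-validates on the server instead of trusting the request.
function hardened_group_join_handler() {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $nonce    = sanitize_text_field( $_POST['groups_join_nonce'] ?? '' );

    // The nonce verifies only for the group id it was issued for; swapping
    // group_id in the POST body invalidates it.
    if ( ! $group_id || ! wp_verify_nonce( $nonce, 'groups_join_' . $group_id ) ) {
        return false;
    }

    // Independent server-side check against an allowlist of joinable groups
    // (hypothetical option name; populate it from site configuration).
    $joinable = (array) get_option( 'joinable_group_ids', array() );
    if ( ! group_join_is_allowed( $group_id, $joinable ) ) {
        return false;
    }

    add_user_to_group( get_current_user_id(), $group_id ); // hypothetical helper
    return true;
}
```

The two checks are deliberately independent: the nonce ties the request to the group the form was rendered for, and the allowlist ensures that even a correctly issued token cannot be reused to enter a group the site never exposed for joining. Logging failed verifications from the hardened handler gives a simple detection signal for attempts to tamper with group_id.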

Impact

Exploitation of this vulnerability allows authenticated users to join groups arbitrarily, potentially leading to unauthorized access to group-specific content or features.

Remediation

Users are advised to update the Groups plugin to version 6.8.0 or later.

Added: Nov 8, 2025, 4:29 AM
Updated: Nov 8, 2025, 4:29 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.5
remediation: 7.7
relevance: 0.9
threat: 3.2
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.